First, decide which trust you want to use for lateral movement. If you want to use the token in one of your Beacons, check the Use session’s current access token box. If you want to use credentials or hashes for lateral movement—that’s OK too. Select credentials from the credential store or populate the User, Password, and Domain fields. Beacon will use this information to generate an access token for you. Keep in mind, you need to operate from a high integrity context [administrator] for this to work.

Next, choose the listener to use for lateral movement. The SMB Beacon is usually a good candidate here.

Last, select which session you want to perform the lateral movement attack from. Cobalt Strike’s asynchronous model of offense requires each attack to execute from a compromised system. There is no option to perform this attack without a Beacon session to attack from. If you’re on an internal engagement, consider hooking a Windows system that you control and use that as your starting point to attack other systems with credentials or hashes.

Press Launch. Cobalt Strike will activate the tab for the selected Beacon and issue commands to it. Feedback from the attack will show up in the Beacon console.